May 11, 2005

NIS for authentication/authorization?

Disclaimer: This is just wild brainstorming, and
doesn't necessarily reflect any particular plans
or goals of my employer (at this point, anyhow).

The March issue of Linux Journal included part 2
of a 2-part thing on Centralized Authentication and
Authorization by Alf Wachsmann. While the article
acknowledged LDAP as a capable option for open-
source centralized authentication, it suggested
that the older NIS standard can be lighter on the
server, lighter over the wire, and easy to integrate
with filesystem auth for various kinds of groups.

The only real negative I've heard about NIS is that
there were security issues, but Dr. Wachsmann's
article mentioned something about integrating NIS
with Kerberos, which I've heard is very secure. He
also suggested tweaks so that NIS only talks to
systems within given IP ranges, rejecting others.

One thing I've heard about NIS that appeals to me
is that it looks to various applications - I would
hope Samba, for instance - just like traditional
UNIX auth/auth, meaning an app may not require
much customization to get the benefits of NIS.
Tying Samba into LDAP takes some tweaking.

I don't know if this is true but am curious about
anything that simplifies management of user
accounts and rights and keeps overhead on the
server and network to a minimum. So, I'm curious...

a. Do you use NIS for authentication/authorization?
b. Do you use Samba in conjunction with this stuff?
c. Do Windows clients connect to your NIS domain?
d. Is your connection from Windows to NIS secure?

...and anything that's relevant.

An entirely separate question is how and whether
this could somehow be tied into X.500 passwords.
If NIS won't do or can't be made secure enough
then it's not even worth trying to tie into X.500.

Posted by tapli005 at May 11, 2005 9:23 AM